Things are bubbling in the Commerce Department as BIS adds 34 companies to the Entity List due to China’s continued human rights abuses and Iranian and Russian procurement without a license. The Kitchen takes a look at the new Xinjiang supply chain business advisory published by the State Department as things continue to heat up in China.
Author: admin
Welcome to a special six-part podcast series, sponsored by Exiger, on the TRADES Framework, a conceptual, strategic and practical guide for Third-Party and Supply Chain Risk Management designed by Exiger to help organizations achieve supply chain resiliency and optimize risk management at any phase of maturity. Today we consider the TRADES Framework uplift evaluation with Brandon Daniels, President, Global Markets and Josh Thiel, Executive Intern (Former Commander of Special Operations Task Force).
Daniels said the TRADES Framework began with the “basics and those basics included the three lines of defense, and that’s what you’ve heard in the T, the R, the A and the D that have come before us. You’ve heard about how you as a first line of defense, as a business, as a business function, as maybe a compliance function working with the business as a sort of middle office build transparency into your supply chain. That’s good for business dynamics, but that’s good for compliance dynamics too. And as we know, good compliance is good business, right? And so, when you think about the journey you’ve been through across the T, the R, the A and the D, transparency, and then your risk methodology linking to your strategic objectives, is a critical first line of defense function.”
Next is the second line of defense. Here an organization assesses its priorities and ensures mitigation of risk. Through the TRADES Framework, you can blend the first and second lines of defense. Daniels continued, “the only way that you can achieve new levels in risk management and compliance maturity, the only way that you can know that what you’ve done in your T, R, A and D elements is to next incorporate the third line of defense. That is where the ‘E’ comes in, Evaluate Framework Uplift.”
You have to take the efficacy of the prior four parts of this process, and you are assessing them from an independent and objective perspective. Some of the questions you would ask include “Do you actually have the right vendors? Do you have the data associated with those vendors to support your risk assessment? Are you biasing your risk assessment in any way by having insufficient data inputs? Have those check-in challenge functions that should be in disruption, mitigation been effective? Have you really truly got accountable stakeholders, or do you have compliance kind of carrying the water for the business?” These are critical questions that everyone needs to ask as they assess the impact that the T, R, A and D has made to their organization, and especially the ‘D’. Evaluating your Framework Uplift, then, means you have to assess, from both an audit and assurance perspective, the impact of the mitigation, the adherence of mitigations and your risk acceptance.
Thiel spoke to the operational perspective, beginning at the strategic level and governance. The strategic leaders, the senior leaders, establish the governance, establish the policies and the expectations, allocate the resources, and determine Return on Investment (ROI) to see if “they got a return on the dollar at this period in time, because ultimately the goal is to reduce the risk of the organization. That’s what the strategic leaders are assessing in the E portion.”
While some of the risks are intangible or reputational and hard to measure, oftentimes the savings impact from Supply Chain Risk Management (SCRM) is very direct and clear, and it’s easy for the senior leaders to quantify it. Thiel provided the following example from the Department of Defense (DOD), “where the DOD made an evaluation of vendor screen based on fraudulent procurement during COVID which cost the US Government $500 million. It’s a perfect example of how vendors were bidding in this frenzy, but were effectively screened out based on their actual ability to deliver. That was important feedback for those senior leaders as they decided in the next phase to go ahead and adopt some sort of SCRM software” and it was specifically based on Exiger software performance. At the strategic level, that’s the focus of the strategic leader.”
We then drilled down into the tactical level, where the Evaluation Phase is built on real collection of both quantitative and qualitative information. Here Thiel explained a “company can easily run itself and its vendor ecosystem in the T and R phases of the maturity model; and then run itself again after the mitigation plans are implemented. By using the same risk models and dashboards, clients can clearly.”
Yet, as with other data analytics solutions in the compliance, risk management and Supply Chain space, quantitative analysis alone is not enough. I would say you must always have the human element involved. Thiel phrased it as “Qualitative information is critical to add context and to answer the ‘why.’ Why did the mitigation plan decrease or increase the risk? The tactical quantitative assessment could include techniques like questionnaires for Third Parties, internal stakeholders, transportation partners, and downstream clients.” Either way you phrase it, there must be a human evaluation and provision for future plans.
Join us for our concluding episode, when Brandon Daniels and Erika Peters give a review of supplier monitoring and an update on how government and critical industry are leading the charge using TRADES to out-pace threats and vulnerabilities while minimizing third party and supply chain risk management gaps.
Resources
Exiger TRADES Framework
Exiger Website
Brandon Daniels
Josh Thiel
Welcome to a new season of Compliance Man. This season is called True or False? In this series, I am joined by Tim Khasanov-Batirov, a compliance practitioner who has focused on compliance in international markets for over 20 years. Based on his work experience in six countries as an in-house compliance officer, Tim now consults senior managers and compliance officers globally on complex ethics and compliance matters as partner and Head of Compliance practice for ETERNA LAW. Tim is a co-founder of Compliance Club, an international community of practitioners. You can learn more about Tim, his Compliance Man illustrated series, a YouTube channel and request advice from him by clicking on Timur Khasanov-Batirov on LinkedIn. Check out his profile on the ETERNA Law page here.
Today we have Maria Bulycheva, Compliance Officer with compliance working experience in 3 countries in construction, energy, automotive and logistics businesses. Today we will find out whether it is true that gifts are a very important cultural courtesy but may lead to corruption. Highlights include:
- Should compliance professionals have an additional Code of Conduct?
- If so, what are the legal implications?
- What about existing requirements?
Join us for the next episode of Compliance Man: True or False? If you disagree or wish to share your views on the whistleblower topic, please comment below. We will be glad to hear from you. Let’s have a sincere global conversation together.
As the Tokyo Olympics stumble out of the gate and Tom returns to the wilds of the Texas Hill Country, he and Jay are back to take a look at this week’s top compliance and ethics stories which caught their interest on This Week in FCPA in the No Fan Olympics edition.
Stories
- Why co-creation is key to design thinking in compliance. Carsten Tams continues his 5-part series on LinkedIn. Check out Tams Part 1 and Part 2 of his great 5-part series.
- What’s going on with ESG in Europe. Vera Cherepanova in the FCPA Blog.
- What is social risk? Lawrence Heim in com.
- What’s the current job market for compliance professionals? Matt Kelly in Radical Compliance.
- SFO secures two DPAs. Neil Hodge in Compliance Week (sub req’d)
- Responding to parallel investigations. Nicole Sprinzen and Catherine Yun in CCI.
- Auditing of SPACs. Francine McKenna takes a deep dive on The Dig. (Sub Req’d)
- EU Whistleblower Initiative? Keith Taylor in Navex Global’s Risk and Compliance Matters.
- FTC signals more aggressive enforcement. Alexander Paul Okuliar and David J. Shaw in NYU’s Compliance and Enforcement.
- The Enactment of Purpose Initiative. Wachtell, Lipton lawyers in the Harvard Law School Forum on Corporate Governance.
Podcasts and Events
- In a sponsored 6-part podcast series Tom visits with folks from Exiger on its ground-breaking TP&SCRM framework, the TRADES Framework. Part 1-Transparency; Part 2-Risk Mitigation; Part 3-Assessing Risk; Part 4-Determining Mitigations; Part 5-Evaluating Uplift; Part 6, Supplier Monitoring.
- Tom and Megan Dougherty conclude their series on Loki, in Episode 6, For All Time. Always. They review the concluding episode of Season 1, look back over the entire series, review it in the context of the MCU series WandaVision and the Winter Soldier and Falcon and where the MCMultiverse may be headed.
- A new month on The Compliance Life! In July I visit with Asha Palmer, CECO at Convercent. In Episode 1, from Claire Huxable to the DOJ. In Episode 2, ‘What do you think about Abu Dhabi?’ In Episode 3, she moves into compliance consulting and is surprised with what she observed.
- Are you a #GWICee? If you are not, you should be. Join the co-hosts Lisa Fine and Mary Shirley for their fan fav lightning round of listener-submitted questions in this episode of Great Women in Compliance.
- What is the budget process for a corp compliance function? Kortney Nordrum lays it out for you in this episode of Survive and Thrive. Check out the video version on YouTube.
- The Compliance Handbook, 2nd edition is released. Learn about it here. Purchase it here.
Tom Fox is the Voice of Compliance and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com.
Nicaragua Update
The Kitchen heads South to look at what’s happening with Nicaragua as the US revokes visas of some associated with the Ortega-Murillo regime. EU rolls out a temporary VAT exception – listen in to get more on what products can benefit.
Welcome to a special six-part podcast series, sponsored by Exiger, on the TRADES Framework, a conceptual, strategic and practical guide for Third-Party and Supply Chain Risk Management designed by Exiger to help organizations achieve supply chain resiliency and optimize risk management at any phase of maturity. In this episode, I visited with Carrie Wibben, Senior Vice President, Exiger Federal Solutions and Aaron Narva, Senior Vice President, Head of Corporate Markets on determining risk mitigations.
The next critical element of the TRADES framework is around determining the mitigation of risk—what actions or steps can and should be taken to reach a point where the specific risks of a supplier or supply chain element are well enough understood and controlled to move forward with a business relationship? Narva explained, “Determining mitigations is a delicate balance of all of the preceding elements of the TRADES framework—it’s about understanding the specific impacts that risk can have on the specific parts of your third party population, it’s about taking a risk based approach, and it’s about understanding your operational bandwidth to take specific mitigation actions and knowing when to just accept the minimal risk and move on for the operational benefit.” While most compliance professionals will be comfortable with this approach, you always need to remember that no one size fits all.
Risk management and compliance professionals seek out and rely upon frameworks that are multiple priorities, such an approach can be used to get executive stakeholder buy-in and drive budget decisions to invest in critical compliance and risk management tools and program changes to elevate supply chain risk insights and truly transform the way most organizations perform supply chain management.
Wibben noted, “This element is really about problem solving and taking specific actions to remediate risks ultimately to drive a supply chain ecosystem that is secure and resilient, but without compromising operational efficiency. By this I mean, at this point in the framework, you have set your organization’s objectives and risk thresholds – you have considered what risks you are willing to accept, what risks can you transfer, segregate, or otherwise mitigate, and what risks you need to immediately take action to remove or avoid altogether.” Moreover, this is the step where you separate the wheat from the chaff. The process has to be driven by a risk-based approach that allows a broad spectrum of mitigations to be used to develop your mitigation plan, to include timelines and milestones to address the supply chain risks that negatively impact the integrity and security of your supply chain.
Mitigating risks requires a high degree of both critical and creative thinking and solutioning. Wibben said, “That’s really why I personally believe that determining mitigations is one of the most challenging elements of Supply Chain Risk Management because of really two primary things, 1) the complexity, and oftentimes, the ambiguity and constantly evolving nature of the sub-tier supplier ecosystem, and then 2) the secondary and tertiary consequences of risk mitigation work, which includes potential impacts to upstream and downstream cost, schedule, and operations.”
I asked Narva about some of the work Exiger is doing with corporate compliance functions to determine mitigations. He said, “on the corporate side, we are seeing many clients utilizing third party outreach as a form of mitigation. Third parties can provide proof of their controls, whether it’s corruption, environmental or cyber risk with documentation such as policies and procedures and certifications.” In the age of Covid-19, “some clients are performing an on-site audit in instances of very high risk, but we have seen a lot of that activity move to video calls, which interestingly enough, allows clients to do more of this type of risk mitigation. At the end of the day, our clients’ approaches to mitigation are as varied as their business models and the risks they face.” Such risk mitigation strategies as contractual clauses, refresh periods, and risk committees are also frequently part of the risk mitigation approach, as are deeper levels of diligence, all the way up to and including discreet reputational inquiries in instances where it is justified.
Join us tomorrow, when we discuss the next step, evaluating the TRADES Framework uplift, with Brandon Daniels and Josh Thiel.
Resources
Exiger TRADES Framework
Exiger Website
Aaron Narva
Carrie Wibben
Tom Fox and Megan Dougherty are back to review the Disney series starring the Marvel Cinematic Universe character, Loki, in the new series, appropriately enough named Loki. In this episode, they take a look at the final episode in the series, Episode 6, For All Time. Always. Each episode will feature a review of the synopsis, Cookies and other cool stuff and then go through some of the questions they have from each episode. It will be a rollicking great time. Join us for all 6 episodes. Spoiler Alert: if you have not seen the episode, Tom and Megan will be taking a deep dive into all of the storylines. In today’s episode we discuss:
- Story Synopsis.
- Cookies, easter eggs and other cool items.
- Questions about ‘He Who Remains’.
- Was it really Miss Manners all along?
- Where does Loki fit into the WandaVision, Winter Soldier and Falcon trilogy?
- Have we moved from MCU to MCMultiverse?
12 O’Clock High, a podcast on business leadership, brings together stories from history, the arts and movies, research and current events to consider leadership lessons. In this episode, Richard Lummis and Tom Fox are on a 10-part summer series on leadership lessons from biographies found in Plutarch’s Lives. Each week we will pair an ancient Greek and Roman to learn about their lives, the comparison and contrast between the two men and what leadership lessons we might draw from their lives. In today’s episode we look at the Greek (Spartan) Agis and Tiberius Gracchus, focusing on land reform in Ancient Greece and Rome. Highlights include:
- Introduction of Plutarch’s Lives as historical work.
- Lives of Agis and Tiberius Gracchus.
- Comparison in the lives of Agis and Tiberius Gracchus.
- Land reform in ancient Greece and Rome.
- The role of the Plebeians.
- What leadership lessons can be drawn from the lives of Agis and Tiberius Gracchus.
Resources
Plutarch’s Lives by Bill Thayer
In today’s edition of Daily Compliance News:
- Air Canada US claims not subject to US law (duh). (View from The Wing)
- Diversity in your Supply Chain? (WSJ)
- J&J and Distributors settle opioid case for $26bn. (NYT)
- Biden to push Ukraine President to tackle corruption at White House meeting. (NYPost)